Abstract. When studying safety properties of (formal) protocol models, it is customary to view the scheduler as an adversary: an entity
trying to falsify the safety property. We show that in the context of se- 
curity protocols, and in particular of anonymizing protocols, this gives 
the adversary too much power; for instance, the contents of encrypted 
messages and internal computations by the parties should be considered 
invisible to the adversary. 

We restrict the class of schedulers to a class of admissible schedulers 
which better model adversarial behaviour. These admissible schedulers 
base their decision solely on the past behaviour of the system that is 
visible to the adversary. 

Using this, we propose a definition of anonymity: for all admissible sched- 
ulers the identity of the users and the observations of the adversary are 
independent stochastic variables. We also develop a proof technique for 
typical cases that can be used to prove anonymity: a system is anonymous if it is possible to 'exchange' the behaviour of two users without
the adversary 'noticing'. 

1 Introduction 

Systems that include probabilities and nondeterminism are very convenient for 
modelling probabilistic (security) protocols. Nondeterminism is a highly desirable
feature for modelling implementation freedom, action of the environment, or in- 
complete knowledge about the system. 

It is often of use to analyze probabilistic properties of such systems as for example "in 30% of the cases sending a message is followed by receiving a message" or "the system terminates successfully with probability at least 0.9". Probabilistic
anonymity [BP05] is also such a property. In order to be able to consider such 
probabilistic properties we must first eliminate the nondeterminism present in 
the models. This is usually done by entities called schedulers or adversaries. It 
is common in the analysis of probabilistic systems to say that a model with 
nondeterminism and probability satisfies a probabilistic property if and only if 
it satisfies it no matter in which way the nondeterminism was resolved, i.e., for 
all possible schedulers. 



On the other hand, in security protocols, adversaries or schedulers are malicious 
entities that try to break the security of the protocol. Therefore, allowing just 
any scheduler is inadmissible. We show that the well-known Chaum's Dining 
Cryptographers (DC) protocol [Cha88] is not anonymous if we allow for all pos- 
sible schedulers. Since the protocol is well-known to be anonymous, this shows 
that for the treatment of probabilistic security properties, in particular proba- 
bilistic anonymity, the general approach to analyzing probabilistic systems does 
not directly fit. 

We propose a solution based on restricting the class of all schedulers to a smaller 
class of admissible schedulers. Then we say that a probabilistic security property 
holds for a given model, if the property holds after resolving the nondeterminism 
under all admissible schedulers. 

2 Probabilistic Automata 

In this section we gather preliminary notions and results related to probabilis- 
tic automata [SL94,Seg95]. Some of the formulations we borrow from [Sok05] 
and [Che06]. We shall model protocols with probabilistic automata. We start 
with a definition of probability distribution. 

Definition 2.1 (Probability distribution). A function $\mu : S \to [0, 1]$ is a discrete probability distribution, or distribution for short, on a set $S$ if $\sum_{x \in S} \mu(x) = 1$. The set $\{x \in S \mid \mu(x) > 0\}$ is the support of $\mu$ and is denoted by $\mathrm{supp}(\mu)$. By $\mathcal{D}(S)$ we denote the set of all discrete probability distributions on the set $S$.

We use the simple probabilistic automata [SL94,Seg95], or MDP's [Bel57] as 
models of our probabilistic processes. These models are very similar to the la- 
belled transition systems, with the only difference that the target of each tran- 
sition is a distribution over states instead of just a single next state. 

Definition 2.2 (Probabilistic automaton). A probabilistic automaton is a triple $\mathcal{A} = (S, A, \alpha)$ where:

— $S$ is a set of states.

— $A$ is a set of actions or action labels.

— $\alpha$ is a transition function $\alpha : S \to \mathcal{P}(A \times \mathcal{D}S)$.

A terminating state of $\mathcal{A}$ is a state with no outgoing transition, i.e. with $\alpha(s) = \emptyset$. We might sometimes also specify an initial state $s_0 \in S$ of a probabilistic automaton $\mathcal{A}$. We write $s \xrightarrow{a} \mu$ for $(a, \mu) \in \alpha(s)$, $s \in S$. Moreover, we write $s \xrightarrow{a,\mu} t$ for $s, t \in S$ whenever $s \xrightarrow{a} \mu$ and $\mu(t) > 0$.

We will also need the notion of a fully probabilistic system. 

Definition 2.3 (Fully Probabilistic Automaton). A fully probabilistic automaton is a triple $\mathcal{A} = (S, A, \alpha)$ where:

— $S$ is a set of states.

— $A$ is a set of actions or action labels.

— $\alpha$ is a transition function $\alpha : S \to \mathcal{D}(A \times S) + 1$.

Here $1 = \{*\}$ denotes termination, i.e., if $\alpha(s) = *$ then $s$ is a terminating state. It can also be understood as a zero-distribution i.e. $\alpha(s)(a, t) = 0$ for all $a \in A$ and $t \in S$. By $s_0 \in S$ we sometimes denote an initial state of $\mathcal{A}$. We write $s \to \mu$ for $\mu = \alpha(s)$, $s \in S$. Moreover, we write $s \xrightarrow{a} t$ for $s, t \in S$ whenever $s \to \mu$ and $\mu(a, t) > 0$.

A major difference between the (simple) probabilistic automata and the fully 
probabilistic ones is that the former can express nondeterminism. In order to
reason about probabilistic properties of a model with nondeterminism we first
resolve the nondeterminism with help of schedulers or adversaries - this leaves 
us with a fully probabilistic model whose probabilistic behaviour we can analyze. 
We explain this in the sequel. 

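Definition 2.4 (Paths). A path of a probabilistic automaton $\mathcal{A}$ is a sequence

$$\pi = s_0 \xrightarrow{a_1,\mu_1} s_1 \xrightarrow{a_2,\mu_2} s_2 \cdots$$

where $s_i \in S$, $a_i \in A$ and $s_i \xrightarrow{a_{i+1},\mu_{i+1}} s_{i+1}$.

A path of a fully probabilistic automaton $\mathcal{A}$ is a sequence

$$\pi = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \cdots$$

where again $s_i \in S$, $a_i \in A$ and $s_i \xrightarrow{a_{i+1}} s_{i+1}$.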

A path can be finite in which case it ends with a state. A path is complete if it is either infinite or finite ending in a terminating state. We let $\mathrm{last}(\pi)$ denote the last state of a finite path $\pi$, and for arbitrary path $\mathrm{first}(\pi)$ denotes its first state. A trace of a path is the sequence of actions in $A^* \cup A^\infty$ obtained by removing the states (and the distributions), hence above $\mathrm{trace}(\pi) = a_1 a_2 \cdots$. The length of a finite path $\pi$, denoted by $|\pi|$ is the number of actions in its trace. Let $\mathrm{Paths}(\mathcal{A})$ denote the set of all paths, $\mathrm{Paths}^{\le\omega}(\mathcal{A})$ the set of all finite paths, and $\mathrm{CPaths}(\mathcal{A})$ the set of all complete paths of an automaton $\mathcal{A}$.

Paths are ordered by the prefix relation, which we denote by $\le$.

Let $\mathcal{A}$ be a (fully) probabilistic automaton and let $\pi_i$ for $i \ge 0$ be finite paths of $\mathcal{A}$ all starting in the same initial state $s_0$ and such that $\pi_i \le \pi_j$ for $i \le j$ and $|\pi_i| = i$, for all $i \ge 0$. Then by $\pi = \lim_{i \to \infty} \pi_i$ we denote the infinite complete path with the property that $\pi_i \le \pi$ for all $i \ge 0$.

Definition 2.5 (Cone). Let $\mathcal{A}$ be a (fully) probabilistic automaton and let $\pi \in \mathrm{Paths}^{\le\omega}(\mathcal{A})$ be given. The cone generated by $\pi$ is the set of paths

$$C_\pi = \{\pi' \in \mathrm{CPaths}(\mathcal{A}) \mid \pi \le \pi'\}.$$

From now on we fix an initial state. Given a fully probabilistic automaton $\mathcal{A}$ with an initial state $s_0$, we can calculate the probability-value denoted by $P(\pi)$ of any finite path $\pi$ starting in $s_0$ as follows.

$$P(s_0) = 1$$

$$P(\pi \xrightarrow{a} s) = P(\pi) \cdot \mu(a, s) \quad \text{where } \mathrm{last}(\pi) \to \mu$$

Let = $\mathrm{CPaths}(\mathcal{A})$ be the sample space, and let $\mathcal{F}_{\mathcal{A}}$ be the smallest $\sigma$-algebra generated by the cones. The following proposition (see [Seg95,Sok05]) states that $P$ induces a unique probability measure on $\mathcal{F}_{\mathcal{A}}$.

Proposition 1. Let $\mathcal{A}$ be a fully probabilistic automaton and let $P$ denote the probability-value on paths. There exists a unique probability measure on $\mathcal{F}_{\mathcal{A}}$ also denoted by $P$ such that $P(C_\pi) = P(\pi)$ for every finite path $\pi$. □

This way we are able to measure the probability of certain events described 
by sets of paths in an automaton with no nondeterminism. Since our models 
include nondeterminism, we will first resolve it by means of schedulers or ad- 
versaries. Before we define adversaries note that we can describe the set of all 
sub-probability distributions on a set $S$ by $\mathcal{D}(S + 1)$. These are functions whose
sum of values on S is not necessarily equal to 1, but it is bounded by 1. 

Definition 2.6 (Scheduler). A scheduler for a probabilistic automaton $\mathcal{A}$ is a function

$$\xi : \mathrm{Paths}^{\le\omega}(\mathcal{A}) \to \mathcal{D}(A \times \mathcal{D}(S) + 1)$$

satisfying $\xi(\pi)(a, \mu) > 0$ implies $\mathrm{last}(\pi) \xrightarrow{a} \mu$, for each finite path $\pi$. By $\mathrm{Sched}(\mathcal{A})$ we denote the set of all schedulers for $\mathcal{A}$.

Hence, a scheduler according to the previous definition imposes a probability distribution on the possible non-deterministic transitions in each state. Therefore it is randomized. It is history dependent since it takes into account the path (history) and not only the current state. It is partial since it gives a sub-probability distribution, i.e., it may halt the execution at any time.

Definition 2.7 (Automaton under scheduler). A probabilistic automaton $\mathcal{A} = (S, A, \alpha)$ together with a scheduler $\xi$ determine a fully probabilistic automaton

$$\mathcal{A}_\xi = (\mathrm{Paths}^{\le\omega}(\mathcal{A}), A, \alpha_\xi).$$

Its set of states are the finite paths of $\mathcal{A}$, its initial state is the initial state of $\mathcal{A}$ (seen as a path with length 1), its actions are the same as those of $\mathcal{A}$, and its transition function is defined as follows. For any $\pi \in \mathrm{Paths}^{\le\omega}(\mathcal{A})$, we have $\alpha_\xi(\pi) \in \mathcal{D}(A \times \mathrm{Paths}^{\le\omega}(\mathcal{A})) + 1$ as

Given a probabilistic automaton $\mathcal{A}$ and a scheduler $\xi$, we denote by $P_\xi$ the probability measure on sets of complete paths of the fully probabilistic automaton $\mathcal{A}_\xi$, as in Proposition 1. The corresponding $\sigma$-algebra generated by cones of finite paths of $\mathcal{A}_\xi$ we denote by $\Omega_\xi$. The elements of $\Omega_\xi$ are measurable sets.



By $\Omega$ we denote the $\sigma$-algebra generated by cones of finite paths of $\mathcal{A}$ (without fixing the scheduler!) and also call its elements measurable sets, without having a measure in mind. Actually, we will now show that any scheduler $\xi \in \mathrm{Sched}(\mathcal{A})$ induces a measure $P_{(\xi)}$ on a certain $\sigma$-algebra of paths in $\mathcal{A}$ such that $\Omega \subseteq \Omega_{(\xi)}$. Hence, any element of $\Omega$ can be measured by any of these measures $P_{(\xi)}$. We proceed with the details.

Define a function $f : \mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi) \to \mathrm{Paths}^{\le\omega}(\mathcal{A})$ by

$$f(\hat\pi) = \mathrm{last}(\hat\pi) \qquad (1)$$

for any $\hat\pi \in \mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi)$. The function $f$ is well-defined since states in $\mathcal{A}_\xi$ are the finite paths of $\mathcal{A}$. Moreover, we have the following property.

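Lemma 1. For any $\hat\pi_1, \hat\pi_2 \in \mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi)$ we have

$$\hat\pi_1 \le \hat\pi_2 \iff f(\hat\pi_1) \le f(\hat\pi_2)$$

where the order on the left is the prefix order in $\mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi)$ and on the right the prefix order in $\mathrm{Paths}^{\le\omega}(\mathcal{A})$.

Proof. By the definition of $\mathcal{A}_\xi$ we have that for $\pi, \pi' \in \mathrm{Paths}^{\le\omega}(\mathcal{A})$ i.e. states of $\mathcal{A}_\xi$: $\pi \xrightarrow{a} \pi'$ if and only if $\pi' = \pi \xrightarrow{a,\mu} s$ and $\mathrm{last}(\pi) \xrightarrow{a,\mu} s$ in $\mathcal{A}$ for some $\mu$ and $s$. In other words if $\pi \xrightarrow{a} \pi'$, then $\pi \le \pi'$ and $|\pi'| = |\pi| + 1$ i.e. $\pi'$ extends $\pi$ in one step. Therefore, if we have a path $\pi_0 \xrightarrow{a_1} \pi_1 \xrightarrow{a_2} \pi_2 \cdots$ in $\mathcal{A}_\xi$, then for all its states: if $i \le j$, then $\pi_i \le \pi_j$ and $|\pi_j| = |\pi_i| + (j - i)$. So if $\hat\pi_1, \hat\pi_2 \in \mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi)$ are such that $\hat\pi_1 \le \hat\pi_2$, then $\mathrm{last}(\hat\pi_1)$ is a state in $\hat\pi_2$ and therefore we at once get $\mathrm{last}(\hat\pi_1) \le \mathrm{last}(\hat\pi_2)$. For the opposite implication, again from the definition we notice that if a path $\hat\pi \in \mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi)$ contains a state $\pi \in \mathrm{Paths}^{\le\omega}(\mathcal{A})$, then it also contains all prefixes of $\pi$ as states. Hence, if $\mathrm{last}(\hat\pi_1) \le \mathrm{last}(\hat\pi_2)$ for $\hat\pi_1, \hat\pi_2 \in \mathrm{Paths}^{\le\omega}(\mathcal{A}_\xi)$, then $\mathrm{last}(\hat\pi_1)$ is a state in $\hat\pi_2$ and also all its prefixes are. Since all paths start in the initial state (path), this implies that $\hat\pi_1 \le \hat\pi_2$. □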

Corollary 1. The function f defined by (1) is injective. □ 

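By Lemma 1 we can extend the function $f$ to $\hat f : \mathrm{CPaths}(\mathcal{A}_\xi) \to \mathrm{CPaths}(\mathcal{A})$ by

$$\hat f(\hat\pi) = \begin{cases} f(\hat\pi) & \hat\pi \text{ is finite} \\ \lim_{i \to \infty} f(\hat\pi_i) & \hat\pi_i \le \hat\pi,\ |\hat\pi_i| = i \end{cases}$$

The properties from Lemma 1 and Corollary 1 continue to hold for the extended function $\hat f$ as well. We will write $f$ for $\hat f$ as well.

Recall that $\Omega_\xi$ denotes the $\sigma$-algebra on which the measure $P_\xi$ is defined. We now define a family of subsets $\Omega_{(\xi)}$ of $\mathrm{CPaths}(\mathcal{A})$ by

$$\Omega_{(\xi)} = \{\Pi \subseteq \mathrm{CPaths}(\mathcal{A}) \mid f^{-1}(\Pi) \in \Omega_\xi\} \qquad (2)$$

The following properties are instances of standard measure-theoretic results.

Lemma 2. The family $\Omega_{(\xi)}$ is a $\sigma$-algebra on $\mathrm{CPaths}(\mathcal{A})$ and by

$$P_{(\xi)}(\Pi) = P_\xi(f^{-1}(\Pi))$$

for $\Pi \in \Omega_{(\xi)}$ a measure on $\Omega_{(\xi)}$ is defined.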



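Recall that $\Omega$ denotes the $\sigma$-algebra on complete paths of $\mathcal{A}$ generated by the cones. We show that for any scheduler $\xi$, $\Omega \subseteq \Omega_{(\xi)}$. Hence, the measurable sets (elements of $\Omega$) are indeed measurable by the measure induced by any scheduler.

Lemma 3. For any scheduler $\xi$, $\Omega \subseteq \Omega_{(\xi)}$.

Proof. Fix a scheduler $\xi$. Since $\Omega$ is generated by the cones it is enough to show that each cone is in $\Omega_{(\xi)}$. Let $C_{\pi_0,\mathcal{A}}$ be a cone in $\mathrm{CPaths}(\mathcal{A})$ generated by the finite path $\pi_0$, i.e.

$$C_{\pi_0,\mathcal{A}} = \{\pi \in \mathrm{CPaths}(\mathcal{A}) \mid \pi_0 \le \pi\}.$$

We have

$$f^{-1}(C_{\pi_0,\mathcal{A}}) = \begin{cases} \emptyset & \pi_0 \notin f(\mathrm{CPaths}(\mathcal{A}_\xi)) \\ C_{\hat\pi_0,\mathcal{A}_\xi} & f(\hat\pi_0) = \pi_0 \end{cases}$$

by Lemma 1. Indeed, let $\pi_0 = f(\hat\pi_0)$. Then

$$\begin{aligned}
f^{-1}(C_{\pi_0,\mathcal{A}}) &= \{\hat\pi \in \mathrm{CPaths}(\mathcal{A}_\xi) \mid f(\hat\pi) \ge \pi_0\} \\
&= \{\hat\pi \in \mathrm{CPaths}(\mathcal{A}_\xi) \mid f(\hat\pi) \ge f(\hat\pi_0)\} \\
&= \{\hat\pi \in \mathrm{CPaths}(\mathcal{A}_\xi) \mid \hat\pi \ge \hat\pi_0\} && \text{(Lem. 1)}
\end{aligned}$$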

We next define two operations on probabilistic automata used for building com- 
posed models out of basic models: parallel composition and restriction. We com- 
pose probabilistic automata in parallel in the style of the process algebra ACP. 
That is, asynchronously with communication function given by a semigroup 
operation on the set of actions. This is the most general way of composing prob- 
abilistic automata in parallel (for an overview see [SV04]). 

Definition 2.8 (Parallel composition). We fix an action set $A$ and a communication function $\cdot$ on $A$ which is a partial commutative semigroup. Given two probabilistic automata $\mathcal{A}_1 = (S_1, A, \alpha_1)$ and $\mathcal{A}_2 = (S_2, A, \alpha_2)$ with actions $A$, their parallel composition is the probabilistic automaton $\mathcal{A}_1 \parallel \mathcal{A}_2 = (S_1 \times S_2, A, \alpha)$ with states pairs of states of the original automata denoted by $s_1 \parallel s_2$, the same actions, and transition function defined as follows. $s_1 \parallel s_2 \xrightarrow{a} \mu$ if and only if one of the following holds

1. $s_1 \xrightarrow{b} \mu_1$ and $s_2 \xrightarrow{c} \mu_2$ for some actions $b$ and $c$ such that $a = b \cdot c$ and $\mu = \mu_1 \cdot \mu_2$ meaning $\mu(t_1 \parallel t_2) = \mu_1(t_1) \cdot \mu_2(t_2)$.

2. $s_1 \xrightarrow{a} \mu'$ where $\mu'(t_1) = \mu(t_1 \parallel s_2)$ for all states $t_1$ of the first automaton.

3. $s_2 \xrightarrow{a} \mu'$ where $\mu'(t_2) = \mu(s_1 \parallel t_2)$ for all states $t_2$ of the second automaton.

Here, 1. represents a synchronous joint move of both of the automata, and 2. and 3. represent the possibilities of an asynchronous move of each of the automata. In case $s_1^0$ and $s_2^0$ are the initial states of $\mathcal{A}_1$ and $\mathcal{A}_2$, respectively, then the initial state of $\mathcal{A}_1 \parallel \mathcal{A}_2$ is $s_1^0 \parallel s_2^0$.



Often we will use input and output actions like $a?$ and $a!$, respectively, in the style of CCS. In such cases we assume that the communication is defined as hand-shaking $a? \cdot a! = \tau_a$ for $\tau_a$ a special invisible action.

The operation of restriction is needed to prune out some branches of a proba- 
bilistic automaton that one need not consider. For example, we will commonly 
use restriction to get rid of parts of a probabilistic automaton that still wait on 
synchronization. 

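Definition 2.9 (restriction). Fix a subset $I \subseteq A$ of actions that are in the restricted set. Given an automaton $\mathcal{A} = (S, A, \alpha)$, the automaton obtained from $\mathcal{A}$ by restricting the actions in $I$ is $\mathcal{R}_I(\mathcal{A}) = (S, A \setminus I, \alpha')$ where the transitions of $\alpha'$ are defined as follows: $s \xrightarrow{a} \mu$ in $\mathcal{R}_I(\mathcal{A})$ if and only if $s \xrightarrow{a} \mu$ in $\mathcal{A}$ and $a \notin I$.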

We now define bisimilarity - a behaviour equivalence on the states of a proba- 
bilistic automaton. For that we first need the notion of relation lifting. 

Definition 2.10 (Relation lifting). Let $R$ be an equivalence relation on the set of states $S$ of a probabilistic automaton $\mathcal{A}$. Then $R$ lifts to a relation $\equiv_R$ on the set $\mathcal{D}(S)$, as follows:

$$\mu \equiv_R \nu \iff \sum_{s \in C} \mu(s) = \sum_{s \in C} \nu(s)$$

for any equivalence class $C \in S/R$.

Definition 2.11 (Bisimulation, bisimilarity). Let $\mathcal{A} = (S, A, \alpha)$ be a probabilistic automaton. An equivalence $R$ on its set of states $S$ is a bisimulation if and only if whenever $(s, t) \in R$ we have

if $s \xrightarrow{a} \mu_s$ then there exists $\mu_t$ such that $t \xrightarrow{a} \mu_t$ and $\mu_s \equiv_R \mu_t$.

Two states $s, t \in S$ are bisimilar, notation $s \sim t$ if they are related by some bisimulation relation $R$.

Note that bisimilarity ~ is the largest bisimulation on a given probabilistic au- 
tomaton A. 

3 Anonymizing Protocols 
3.1 Dining cryptographers 

The canonical example of an anonymizing protocol is Chaum's Dining Cryptog- 
raphers [Cha88] . In Chaum's introduction to this protocol, three cryptographers 
are sitting down to dine in a restaurant, when the waiter informs them that the 
bill has already been paid anonymously. They wonder whether one of them has 
paid the bill in advance, or whether the NSA has done so. Respecting each other's 



right to privacy, they carry out the following protocol. Each pair of cryptographers flips a coin, invisible to the remaining cryptographer. Each cryptographer then reveals whether or not the two coins he saw were equal or unequal. However, if a cryptographer is paying, he states the opposite. An even number of
"equals" now indicates that the NSA is paying; an odd number that one of the 
cryptographers is paying. 

Formally, Chaum states the result as follows. (Here we are restricting to the case with 3 cryptographers; Chaum's version is more general.) Here, $\mathbb{F}_2$ is the field of two elements.

Theorem 3.1 Let $K$ be a uniformly distributed stochastic variable over $\mathbb{F}_2^3$. Let $I$ be a stochastic variable over $\mathbb{F}_2^3$, taking only values in $\{(1, 0, 0), (0, 1, 0), (0, 0, 1), (0, 0, 0)\}$. Let $A$ be the stochastic variable over $\mathbb{F}_2^3$ given by $A = (I_1 + K_2 + K_3,\ K_1 + I_2 + K_3,\ K_1 + K_2 + I_3)$. Assume that $K$ and $I$ are independent. Then

$$\forall a \in \mathbb{F}_2^3\ \forall i \in \{1, 2, 3\} : P[I = i] > 0 \Rightarrow P[A = a \mid I = i] = \tfrac{1}{4}$$

and hence

$$\forall a \in \mathbb{F}_2^3\ \forall i \in \{1, 2, 3\} : P[I = i] > 0 \Rightarrow P[A = a \mid I = i] = P[A = a]. \qquad \Box$$

In terms of the storyline, $K$ represents the coin flips, $I$ represents which cryptographer (if any) is paying, and $A$ represents what every cryptographer says.

We will now model this protocol as a probabilistic automaton. We will construct it as a parallel composition of seven components: the Master, who decides who will pay, the three cryptographers $\mathrm{Crypt}_i$, and the three coins $\mathrm{Coin}_i$. The action $p_i!$ is used by the Master to indicate to $\mathrm{Crypt}_i$ that he should pay; the action $n_i!$ to indicate that he shouldn't. If no cryptographer is paying, the NSA is paying, which is not explicitly modelled here. The coin $\mathrm{Coin}_i$ is shared by $\mathrm{Crypt}_i$ and $\mathrm{Crypt}_{i-1}$ (taking the $-1$ modulo 3); the action $h_{i,j}!$ represents $\mathrm{Coin}_i$ signalling to $\mathrm{Crypt}_j$ that the coin was heads and similarly $t_{i,j}!$ signals tails. At the end, the cryptographers state whether or not the two coins they saw were equal or not by means of the actions $a_i!$ (agree) or $d_i!$ (disagree).

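[Figure: the automata Master, $\mathrm{Coin}_i$ and $\mathrm{Crypt}_i$]

Now DC is the parallel composition of Master, $\mathrm{Coin}_0$, $\mathrm{Coin}_1$, $\mathrm{Coin}_2$, $\mathrm{Crypt}_0$, $\mathrm{Crypt}_1$, and $\mathrm{Crypt}_2$ with all actions of the form $p_i$, $n_i$, $h_{i,j}$, and $t_{i,j}$ hidden.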

Note that in Chaum's version, there is no assumption on the probability 
distribution of $I$; in our version this is modelled by the fact that the Master
makes a non-deterministic choice between the four options. Since we allow prob- 
abilistic schedulers, we later recover all possible probability distributions about 
who is paying, just as in the original version. Independence between the choice 
of the master and the coin flips ($I$ and $K$ in Chaum's version) comes for free
in the automata model: distinct probabilistic choices are always assumed to be 
independent. 

In Section 4 we formulate what it means for DC (or more general, for an 
anonymity automaton) to be anonymous. 



3.2 Voting 

At a very high level, a voting protocol can be seen as a blackbox that inputs 
the voters' votes and outputs the result of the vote. For simplicity, assume the 
voters vote yes (1) or no (0), do not abstain, and that the number of voters is
known. The result then is the number of yes-votes. 



[Figure: the voting protocol as a black box, with the votes $v_i$ as input and $\sum_i v_i$ as output]



In such a setting, it is conceivable that an observer has some a-priori knowl- 
edge about which voters are more likely to vote yes and which voters are more 
likely to vote no. Furthermore, there definitely is a-posteriori knowledge, since 
the vote result is made public. For instance, in the degenerate case where all 
voters vote the same way, everybody's vote is revealed. What we expect here 
from the voting protocol is not that the adversary has no knowledge about the 
votes (since he might already have a-priori knowledge), and also not that the 
adversary does not gain any knowledge from observing the protocol (since the 
vote result is revealed), but rather that observing the protocol does not augment 
the adversary's knowledge beyond learning the vote result. 

For the purely probabilistic case, this notion of anonymity is formalized in 
Section 4. 



4 Anonymity for Purely Probabilistic Systems 



This section defines anonymity systems and proposes a definition for anonymity 
in its simplest configuration, i.e., for purely probabilistic systems. Purely proba- 
bilistic systems are simpler because there is no need for schedulers. Throughout 
the following sections, this definition will be incrementally modified towards a
more general setting. 

Definition 4.1 (Anonymity system). Let $M = (S, \mathrm{Act}, \alpha)$ be a fully probabilistic automaton. An anonymity system is a triple $(M, I, \{A_i\}_{i \in I}, \mathrm{Act}_O)$ where

1. $I$ is the set of user identities,

2. $A_i$ is any measurable subset of $\mathrm{CPaths}(M)$ such that $A_i \cap A_j = \emptyset$ for $i \neq j$.

3. $\mathrm{Act}_O \subseteq \mathrm{Act}$ is the set of observable actions.

4. $\mathit{Otrace}(\pi)$ is the sequence of elements in $\mathrm{Act}_O$ obtained by removing from $\mathrm{trace}(\pi)$ the elements in $\mathrm{Act} \setminus \mathrm{Act}_O$.

Define $O$ as the set of observations, i.e., $O = \{\mathrm{trace}(\pi) \mid \pi \in \mathrm{Paths}(M)\}$. We also define $A = \bigcup_{i \in I} A_i$.

Intuitively, the $A_i$s are properties of the executions that the system is meant to hide. For example, in the case of the dining cryptographers $A_i$ would be "cryptographer $i$ paid"; in a voting scheme "voter $i$ voted for candidate $c$", etc. Therefore, for the previous examples, the predicate $A$ would be "some of the cryptographers paid" or "the vote count" respectively.

Next, we propose a definition of anonymity for purely probabilistic systems. We deviate from the definition proposed by Bhargava and Palamidessi [BP05] for what we consider a more intuitive definition: We say that an anonymity system is anonymous if the probability of seeing an observation is independent of who performed the anonymous action ($A_i$), given that some anonymous action took place ($A$ happened). The formal definition follows.

Definition 4.2 (Anonymity). A system $(M, I, \{A_i\}_{i \in I}, \mathrm{Act}_O)$ is said to be anonymous if

$$\forall i \in I.\ \forall o \in O.\ P[\pi \in A] > 0 \Rightarrow P[\mathit{Otrace}(\pi) = o \wedge \pi \in A_i \mid \pi \in A] = P[\mathit{Otrace}(\pi) = o \mid \pi \in A]\; P[\pi \in A_i \mid \pi \in A].$$

In the above probabilities, $\pi$ is drawn from the probability space $\mathrm{Paths}(M)$.

The following lemma shows that this definition is equivalent to the one pro- 
posed in Bhargava and Palamidessi [BP05]. 

Lemma 4. An anonymity system is anonymous if and only if

$$\forall i, j \in I.\ \forall o \in O.\ (P[\pi \in A_i] > 0 \wedge P[\pi \in A_j] > 0) \Rightarrow P[\mathit{Otrace}(\pi) = o \mid \pi \in A_i] = P[\mathit{Otrace}(\pi) = o \mid \pi \in A_j]$$



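Proof. The only if part is trivial. For the if part we have

$$\begin{aligned}
& P[\mathit{Otrace}(\pi) = o \mid \pi \in A]\; P[\pi \in A_i \mid \pi \in A] \\
&= P[\pi \in A_i \mid \pi \in A] \sum_{j \in I} P[\mathit{Otrace}(\pi) = o \mid \pi \in A_j \cap A]\; P[\pi \in A_j \mid \pi \in A] && \text{(since } A_i \cap A_j = \emptyset,\ i \neq j\text{)} \\
&= P[\pi \in A_i \mid \pi \in A] \sum_{j \in I} P[\mathit{Otrace}(\pi) = o \mid \pi \in A_j]\; P[\pi \in A_j \mid \pi \in A] && \text{(by definition of } \pi \in A\text{)} \\
&= P[\pi \in A_i \mid \pi \in A]\; P[\mathit{Otrace}(\pi) = o \mid \pi \in A_i] \sum_{j \in I} P[\pi \in A_j \mid \pi \in A] && \text{(by hypothesis)} \\
&= P[\pi \in A_i \mid \pi \in A]\; P[\mathit{Otrace}(\pi) = o \mid \pi \in A_i] \sum_{j \in I} \frac{P[\pi \in A_j]}{P[\pi \in A]} && \text{(since } A_j \subseteq A\text{)} \\
&= P[\pi \in A_i \mid \pi \in A]\; P[\mathit{Otrace}(\pi) = o \mid \pi \in A_i] \\
&= \frac{P[\pi \in A_i]}{P[\pi \in A]} \cdot \frac{P[\mathit{Otrace}(\pi) = o \wedge \pi \in A_i]}{P[\pi \in A_i]} \\
&= P[\mathit{Otrace}(\pi) = o \wedge \pi \in A_i \mid \pi \in A] && \text{(since } A_i \subseteq A\text{)}
\end{aligned}$$

which concludes the proof. □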



5 Anonymity for Probabilistic Systems 



We now try to extend the notion of anonymity to probabilistic automata that 
are not purely probabilistic, but that still contain some non-deterministic tran- 
sitions. 



One obvious try is to say that $M$ is anonymous if $M_\xi$ is anonymous for all schedulers $\xi$ of $M$. The following automaton $M$ and scheduler $\xi$ show that this definition would be problematic.



[Figure: the automaton $M$ (left) and $M_\xi$ (right)]

Here $a_1$ and $a_2$ are invisible actions; they represent which user performed the action that was to remain hidden. The actions $x_1$ and $x_2$ are observable. Intuitively, because the adversary cannot see the messages $a_1$ and $a_2$, she cannot learn which user actually performed the hidden action. On the right hand side $M_\xi$ is shown and the branches the scheduler does not take are indicated by dotted arrows. Now $P_\xi[a_1 \mid x_1] = 1$, but $P_\xi[a_1] =$ \, showing that with this particular scheduler $M_\xi$ is not anonymous.

Note that this phenomenon can easily occur as a consequence of communica- 
tion non-determinism. For instance, consider the following three automata and 
their parallel composition in which c? and c! are hidden. In this example the order 
of the messages $x_1$ and $x_2$ depends on a race-condition, but a scheduler can make it depend on whether $a_1$ or $a_2$ was taken. I.e., there exists a scheduler $\xi$ such that $P_\xi[x_1 x_2 \mid a_1] = P_\xi[x_2 x_1 \mid a_2] = 1$ and hence $P_\xi[x_2 x_1 \mid a_1] = P_\xi[x_1 x_2 \mid a_2] = 0$.



[Figure: the three automata and their parallel composition]




In fact, the Dining Cryptographers example from Section 3.1 suffers from exactly 
the same problem. The order in which the cryptographers say $\mathit{agree}_i$ or $\mathit{disagree}_i$



is determined by the scheduler and it is possible to have a scheduler that makes 
the paying cryptographer, if any, go last. 

In [BP05], a system $M$ is called anonymous if for all schedulers $\zeta$, $\xi$, for all observables $o$, and for all hidden actions $a_i$, $a_j$ such that $P_\zeta[a_i] > 0$ and $P_\xi[a_j] > 0$, $P_\zeta[o \mid a_i] = P_\xi[o \mid a_j]$. This definition, of course, has the same problems as above; in the Dining Cryptographers example in [BP05] this is solved by fixing the order in which the cryptographers say $\mathit{agree}_i$ or $\mathit{disagree}_i$. However, also a non-deterministic choice between two otherwise anonymous systems can become non-anonymous with this definition. For instance, let $P$ be some anonymous system. For simplicity, assume that $P$ is fully probabilistic (e.g., the Dining Cryptographers with a probabilistic master and a fixed scheduler) and let $P'$ be a variant of $P$ in which the visible actions have been renamed (e.g., the actions $\mathit{agree}_i$ and $\mathit{disagree}_i$ are renamed to $\mathit{equal}_i$ and $\mathit{unequal}_i$). Now consider the probabilistic automaton $M$ which non-deterministically chooses between $P$ and $P'$:

[Figure: the automaton $M$, choosing non-deterministically between $P$ and $P'$]




This automaton has only two schedulers: the one that chooses the left branch and then executes $P$ and the one that chooses the right branch and then executes $P'$. Let's call these schedulers $l$ and $r$ respectively. Now pick any hidden action $a_i$ and observable $o$ such that $P_l[o \mid a_i] > 0$ (e.g., $o = \mathit{agree}_1\, \mathit{disagree}_2\, \mathit{agree}_3$ and $a_i = \mathit{pay}_1$, for which $P[o \mid \mathit{pay}_1] = \tfrac{1}{4}$). Then, nevertheless, $P_r[o \mid a_i] = 0$, because the observation $o$ cannot occur in $P'$. So, even though intuitively this system should be anonymous, it is not so according to the definition in [BP05].

Every time the problem is that the scheduler has access to information it 
shouldn't have. When one specifies a protocol by giving a probabilistic automa- 
ton, an implementation of this protocol has to implement a scheduler as well. 
This is especially obvious if the non-determinism originates from communication. 
When we identify schedulers with adversaries, as is common, it becomes clear 
that the scheduler should not have access to too much information. In the next 
section we define a class of schedulers, called admissible schedulers that base 
their scheduling behavior on the information an adversary actually has access 
to: the observable history of the system. 
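
The scheduler problem described in this section, worked out exactly for the three-party Dining Cryptographers as an added example (not code from the paper). It enumerates the eight coin outcomes and compares what the adversary sees under a fixed speaking order, under an order that depends only on the observable trace, and under an interfering scheduler that makes the payer go last. The function names, the uniform prior in `max_posterior`, and the simplification that a scheduler is restricted just by withholding the hidden state (the bisimilarity condition of the next section is not modelled) are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

N = 3  # cryptographers 0, 1, 2; Crypt_i sees Coin_i and Coin_{i+1 mod 3}


def announcements(payer, coins):
    """'a' (agree) if Crypt_i's two coins are equal, 'd' (disagree) if not;
    the payer states the opposite."""
    says = []
    for i in range(N):
        equal = coins[i] == coins[(i + 1) % N]
        if i == payer:
            equal = not equal
        says.append("a" if equal else "d")
    return says


# A scheduler picks who speaks next. `trace` is the observable history
# ((speaker, announcement), ...); `hidden` is (payer, coins), or None when
# the harness withholds it (assumed stand-in for "visible to the adversary").
def fixed_order(trace, hidden):
    return len(trace)  # always 0, 1, 2


def trace_dependent(trace, hidden):
    """Order varies, but only as a function of what has been observed."""
    if not trace:
        return 0
    if len(trace) == 1:
        return 1 if trace[0][1] == "a" else 2
    spoken = {i for i, _ in trace}
    return next(i for i in range(N) if i not in spoken)


def payer_last(trace, hidden):
    """Interfering scheduler: reads the hidden payer and makes him go last."""
    payer, _coins = hidden
    spoken = {i for i, _ in trace}
    others = [i for i in range(N) if i not in spoken and i != payer]
    return others[0] if others else payer


def observation(scheduler, payer, coins, sees_hidden):
    """The observable trace produced by one run under the given scheduler."""
    says, trace = announcements(payer, coins), []
    while len(trace) < N:
        i = scheduler(tuple(trace), (payer, coins) if sees_hidden else None)
        trace.append((i, says[i]))
    return tuple(trace)


def conditional(scheduler, payer, sees_hidden):
    """Exact P[Otrace = o | payer] over the 8 equally likely coin outcomes."""
    dist = {}
    for coins in product((0, 1), repeat=N):
        o = observation(scheduler, payer, coins, sees_hidden)
        dist[o] = dist.get(o, Fraction(0)) + Fraction(1, 2 ** N)
    return dist


def is_anonymous(scheduler, sees_hidden):
    """Pairwise form of the definition: P[o | A_i] = P[o | A_j] for all i, j."""
    dists = [conditional(scheduler, p, sees_hidden) for p in range(N)]
    return all(d == dists[0] for d in dists)


def max_posterior(scheduler, sees_hidden):
    """Largest P[payer = i | o], assuming a uniform prior over the payers."""
    joint = {(o, p): pr / N
             for p in range(N)
             for o, pr in conditional(scheduler, p, sees_hidden).items()}
    totals = {}
    for (o, _), pr in joint.items():
        totals[o] = totals.get(o, Fraction(0)) + pr
    return max(pr / totals[o] for (o, _), pr in joint.items())


if __name__ == "__main__":
    for name, sched, sees in [("fixed_order", fixed_order, False),
                              ("trace_dependent", trace_dependent, False),
                              ("payer_last", payer_last, True)]:
        print(name, is_anonymous(sched, sees), max_posterior(sched, sees))
```

The first two schedulers run with the hidden state withheld, so their result does not rest on them merely choosing to ignore it.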



6 Admissible Schedulers 

As explained in the previous section, defining anonymity as a condition that 
should hold true for all possible schedulers is problematic. It is usual to quan- 
tify over all schedulers when showing theoretical properties of systems with both 
probabilities and non-determinism - for example we may say "no matter how the 
non-determinism is resolved, the probability of an event X is at least p" . How- 
ever, in the analysis of security protocols, for example with respect to anonymity, 



we would like to quantify over all possible "realistic" adversaries. These are not 
all possible schedulers as in our theoretic considerations since such a realistic 
adversary is not able to see all details of the probabilistic automaton under 
consideration. Hence, considering that the adversary is any scheduler enables 
the adversary to leak information where it normally could not. We call such 
schedulers interfering schedulers. This way protocols that are well-known to be 
anonymous turn out not to be anonymous. One such example is the dining cryp- 
tographers protocol explained above. We show that one gets a better definition 
of anonymity if one restricts the power of the schedulers, in a realistic way. In 
this section we define the type of schedulers with restricted power that we con- 
sider good enough for showing anonymity of certain protocols. We call these 
schedulers admissible. 

Schedulers with restricted power have been treated in the literature. In general, as explained by Segala in [Seg95], a scheduler with restricted power is given by defining two equivalences, one on the set of finite paths $\equiv_1$ and another one $\equiv_2$ on the set of possible transitions, in this case $\mathcal{D}(A \times S)$. Then a scheduler $\xi$ is oblivious relative to $(\equiv_1, \equiv_2)$ if and only if for any two paths $\pi_1, \pi_2$ we have

$$\pi_1 \equiv_1 \pi_2 \Rightarrow \xi(\pi_1) \equiv_2 \xi(\pi_2).$$

6.1 Admissible schedulers based on bisimulation 

In this section we specify $\equiv_1$ and $\equiv_2$ and obtain a class of oblivious adversaries that suits the anonymity definition.

Define $\equiv_1$ on the set of finite paths of an automaton $M$ as

$$\pi_1 \equiv_1 \pi_2 \iff (\mathrm{trace}(\pi_1) = \mathrm{trace}(\pi_2) \wedge \mathrm{last}(\pi_1) \sim \mathrm{last}(\pi_2)).$$

Recall that we defined $\equiv_R$ as the lifting of the equivalence relation $R$ on a set $S$ to an equivalence relation on $\mathcal{D}(A \times S)$. For $\equiv_2$ we take the equivalence $\equiv_\sim$ on $\mathcal{D}(A \times S)$. This is well defined since bisimilarity is an equivalence. Hence, we obtain a class of oblivious schedulers relative to $(\equiv_1, \equiv_\sim)$. These schedulers we call admissible.

Definition 6.1 (admissible scheduler). A scheduler is admissible if for any two finite paths $\pi_1$ and $\pi_2$ we have

$$(\mathrm{trace}(\pi_1) = \mathrm{trace}(\pi_2) \wedge \mathrm{last}(\pi_1) \sim \mathrm{last}(\pi_2)) \Rightarrow \xi(\pi_1) \equiv_\sim \xi(\pi_2).$$

Intuitively, the definition of an admissible scheduler enforces that in cases when the scheduler has observed the same history (given by the traces of the paths) and is in bisimilar states, it must schedule "the same" transitions up to bisimilarity.

6.2 Existence 

We now show that admissible schedulers do exist. In fact, we even show that admissible history-independent schedulers exist. A scheduler $\xi$ is history-independent if it is completely determined by its image of paths of length i.e. if for any path $\pi$ it holds that $\xi(\pi) = \xi(\mathrm{last}(\pi))$.



Theorem 6.2 (Existence) There exists an admissible scheduler for every probabilistic automaton.



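Proof. Take a probabilistic automaton $M$. We first show that there exists a map $\xi : S \to \mathcal{D}(A \times S) \cup \{\bot\}$ with the property that $\xi(s) = \bot$ if and only if $s$ terminates and for all $s, t \in S$, if $s \sim t$, then $\xi(s) \equiv_\sim \xi(t)$.

Consider the set of partial maps

$$\Xi = \left\{ \xi : S \rightharpoonup \mathcal{D}(A \times S) \cup \{\bot\} \;\middle|\; \xi(s) = \bot \iff s \text{ terminates},\ \ s \sim t \Rightarrow \xi(s) \equiv_\sim \xi(t) \text{ for } s, t \in \mathrm{dom}(\xi) \right\}.$$

This set is not empty since the unique partial map with empty domain belongs to it. We define an order $\le$ on $\Xi$ in a standard way by

$$\xi_1 \le \xi_2 \iff (\mathrm{dom}(\xi_1) \subseteq \mathrm{dom}(\xi_2) \wedge \xi_2|_{\mathrm{dom}(\xi_1)} = \xi_1).$$

Consider a chain $(\xi_i)_{i \in I}$ in $\Xi$. Let $\xi = \bigcup_{i \in I} \xi_i$. This means that $\mathrm{dom}(\xi) = \bigcup_{i \in I} \mathrm{dom}(\xi_i)$ and if $x \in \mathrm{dom}(\xi)$, then $\xi(x) = \xi_i(x)$ for $i \in I$ such that $x \in \mathrm{dom}(\xi_i)$. Note that $\xi$ is well-defined since $(\xi_i)_{i \in I}$ is a chain. Moreover, it is obvious that $\xi_i \le \xi$ for all $i \in I$. We next check that $\xi \in \Xi$. Let $s, t \in \mathrm{dom}(\xi)$, such that $s \sim t$. Then $s \in \mathrm{dom}(\xi_i)$ and $t \in \mathrm{dom}(\xi_j)$ for some $i, j \in I$ and either $\xi_i \le \xi_j$ or $\xi_j \le \xi_i$. Assume $\xi_i \le \xi_j$. Then $s, t \in \mathrm{dom}(\xi_j)$ and $\xi_j \in \Xi$ so we have that $\xi_j(s) \equiv_\sim \xi_j(t)$ showing that $\xi(s) \equiv_\sim \xi(t)$ and we have established that $\xi \in \Xi$.

Hence, every ascending chain in $\Xi$ has an upper bound. By the Lemma of Zorn we conclude that $\Xi$ has a maximal element. Let $\sigma$ be such a maximal element in $\Xi$. We claim that $\sigma$ is a total map. Assume opposite, i.e., there exists $s \in S \setminus \mathrm{dom}(\sigma)$. If there exists a $t \in \mathrm{dom}(\sigma)$ such that $s \sim t$ then we define a new partial scheduler $\sigma'$ as follows. If $\sigma(t) = \bot$ we put $\sigma'(s) = \bot$. If $\sigma(t) = \mu_t$, then, since $t \to \mu_t$ and $s \sim t$, there exists $\mu_s$ such that $s \to \mu_s$ and $\mu_t \equiv_\sim \mu_s$. In this case we put $\sigma'(s) = \mu_s$. Moreover, put $\sigma'(x) = \sigma(x)$ for $x \in \mathrm{dom}(\sigma)$. Then we have $\sigma' \ge \sigma$ and $\sigma' \in \Xi$ contradicting the maximality of $\sigma$. Hence $\sigma$ is a total map.

Finally, we consider the (history-independent) scheduler $\hat\sigma$ induced by $\sigma$, i.e., defined by $\hat\sigma(\pi) = \sigma(\mathrm{last}(\pi))$ for any finite path $\pi$. This scheduler is admissible. Namely, given $\pi_1$ and $\pi_2$ such that $\mathrm{trace}(\pi_1) = \mathrm{trace}(\pi_2)$ and $\mathrm{last}(\pi_1) \sim \mathrm{last}(\pi_2)$ we have, since $\sigma \in \Xi$, that

$$\hat\sigma(\pi_1) = \sigma(\mathrm{last}(\pi_1)) \equiv_\sim \sigma(\mathrm{last}(\pi_2)) = \hat\sigma(\pi_2)$$

which completes the proof. □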

We are now ready to define anonymity for probabilistic systems, the formal 
definition follows. 

Definition 6.3 (Anonymity). A system $(M, I, \{A_i\}_{i \in I}, \mathrm{Act}_O)$ is said to be anonymous if for all admissible schedulers $\xi$, for all $i \in I$ and for all $o \in O$

$$P_\xi[\pi \in A] > 0 \Rightarrow P_\xi[\mathit{Otrace}(\pi) = o \wedge \pi \in A_i \mid \pi \in A] = P_\xi[\mathit{Otrace}(\pi) = o \mid \pi \in A]\; P_\xi[\pi \in A_i \mid \pi \in A].$$



7 Anonymity Examples 



In the purely non-deterministic setting, anonymity of a system is often proved 
(or defined) as follows: take two users A and B and a trace in which user A
is "the culprit" . Now find a trace that looks the same to the adversary, but in 
which user B is "the culprit" [HO03,GHvRP05,MVdV04,HK07]. In fact, this 
new trace is often most easily obtained by switching the behavior of A and B. 

In this section, we make this technique explicit for anonymity in our setting, 
with mixed probability and non-determinism. 



Definition 7.1. Let $M$ be a probabilistic automaton. A map $\alpha : S \to S$ is called an $\mathrm{Act}_O$-automorphism if $\alpha$ induces an automorphism of the automaton $M_\tau$, which is a copy of $M$ with all actions not in $\mathrm{Act}_O$ renamed to $\tau$.



The following result generalizes the above-mentioned proof technique that is
commonly used for a purely non-deterministic setting. 



Theorem 7.2 Consider an anonymity system $(M, I, \mathrm{Act}_O)$. Suppose that for every $i, j \in I$ there exists an $\mathrm{Act}_O$-automorphism $\alpha : S \to S$ such that $\alpha(A_i) = A_j$. Then the system is anonymous.



Anonymity of the Dining Cryptographers 



We can now apply the techniques from the previous section to the Dining Cryptographers. Concretely, we show that there exists an $\mathrm{Act}_O$-automorphism exchanging the behaviour of the $\mathrm{Crypt}_1$ and $\mathrm{Crypt}_2$; by symmetry, the same holds for the other two combinations.

Consider the endomorphisms of Master and $\mathrm{Coin}_2$ indicated in the following
figure. The states in the left copy that are not explicitly mapped (by a dotted 
arrow) to a state in the right copy are mapped to themselves. 



[Figure: endomorphisms of Master and $\mathrm{Coin}_2$]

Also consider the identity endomorphism on $\mathrm{Crypt}_i$ (for $i = 0, 1, 2$) and on $\mathrm{Coin}_i$ (for $i = 0, 1$). Taking the product of these seven endomorphisms, we obtain an endomorphism $\alpha$ of DC.